Forum Discussion
Opening a Port Range
This may be quite simple for the BIGIP pros but I'm not sure of the best way to do what I need.
I have an FTP site in IIS with a data channel port range defined (30000-30300) and the IP address of the external firewall, i.e. the TMG listener IP, and SSL is required. I also have an HTTPS (443) site bound to the FTP site so the directory can be browsed and HTTPS download links provided.
In TMG to access the HTTPS site is a simple web publishing rule and I can replicate this on F5 using the http iApp easily enough.
But also currently in TMG I have a server publishing rule that applies from [anywhere] to [ftp server IP] using the listener IP defined for the FTP service on the external network. In addition this rule has a custom protocol with the port ranges opened for both inbound and outbound connections 21, 989-990, 30000-30300. This is to allow me to configure an FTP client (Filezilla) to use FTPES (explicit/passive) for uploads and downloads and works fine.
How though do I configure this second part on my F5 LTM?
3 Replies
- IheartF5_45022
Nacreous
I would try a network forwarding virtual server with an iRule similar to this attached:
when CLIENT_ACCEPTED {
    # Reject any connection whose destination port is outside 30000-30300
    if {!([TCP::local_port] >= 30000 && [TCP::local_port] <= 30300)} {
        reject
    }
}
- veato
Nimbostratus
As I also have a virtual server for 443 traffic to the same server would this iRule interfere with that and reject the 443?
- Stanislas_Piro2
Cumulonimbus
Hi,
What are your published services?
- HTTPS
- FTP
If I understand your request, you want to allow FTP data connections?
If you define an FTP virtual server with an ftp profile, all related dynamic TCP connections will be allowed without any other configuration.
To answer your last comment, if you create a VS with Any port and another with 443 port, port 443 will be handled by the HTTPS VS and all other ports by the Any VS.
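Added example, not part of the thread and not F5 code: a small Python model of the behaviour discussed in the replies above, where a port-specific virtual server takes the connection ahead of an any-port one and the port-range iRule then accepts or rejects what reaches the any-port server. The names `vs_https` and `vs_forward` and the sample ports are constructed, and the model assumes a single destination address and only port specificity.

```python
# Added example: simplified model of BIG-IP listener selection.
# Assumption: one destination address, only port specificity is modelled.
from dataclasses import dataclass

ANY_PORT = 0  # wildcard port on a virtual server

@dataclass(frozen=True)
class VirtualServer:
    name: str            # hypothetical name
    port: int            # ANY_PORT = listens on every port
    allowed: tuple = ()  # port ranges the attached iRule accepts; empty = no iRule

def select_vs(listeners, dst_port):
    """A port-specific virtual server wins over the any-port one."""
    exact = [vs for vs in listeners if vs.port == dst_port]
    if exact:
        return exact[0]
    wild = [vs for vs in listeners if vs.port == ANY_PORT]
    return wild[0] if wild else None

def handle(listeners, dst_port):
    """Return (virtual server name, verdict) for one client connection."""
    vs = select_vs(listeners, dst_port)
    if vs is None:
        return (None, "reject")      # no listener: default deny
    if vs.allowed and not any(lo <= dst_port <= hi for lo, hi in vs.allowed):
        return (vs.name, "reject")   # iRule CLIENT_ACCEPTED -> reject
    return (vs.name, "accept")

HTTPS = VirtualServer("vs_https", 443)
# iRule exactly as posted in the thread: data channel range only
POSTED = VirtualServer("vs_forward", ANY_PORT, ((30000, 30300),))
# Variant covering every range listed in the question
FULL = VirtualServer("vs_forward", ANY_PORT, ((21, 21), (989, 990), (30000, 30300)))

# Constructed destination ports: HTTPS, FTP control, FTPS, passive data, stray
SAMPLE_PORTS = [443, 21, 990, 30010, 3389]

def run(forwarder):
    return {p: handle([HTTPS, forwarder], p) for p in SAMPLE_PORTS}

if __name__ == "__main__":
    for label, fwd in (("posted iRule", POSTED), ("all ranges from the question", FULL)):
        print(label)
        for port, result in run(fwd).items():
            print(f"  {port:>5} -> {result}")
```

In this model port 443 never reaches the iRule, while a range check limited to 30000-30300 also rejects ports 21 and 989-990 on the any-port server unless those ranges are added or handled by another virtual server.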
